Data Freedom and Regulation

February 11, 2013

HIPAA creates a floor, not a ceiling.

The HIPAA laws passed in the US to provide for better privacy an security of medical information seem to be a joke in many of the situations in which I’ve dealt with medical providers. It almost seems like signing a HIPAA acknowledgment form is a formality and as patients, we should understand that HIPAA provides for standard requirements and protections for our data. However I’m not sure that’s the case.

This article talks about the HIPAA laws being a floor, not a ceiling, and a patchwork of laws in various states superceed what HIPAA requires. However in doing so, they create inconsistent regulations and rules that people struggle to understand, and with which technology cannot keep up. I’d take issue with the comment that “Digital systems to move information need simplicity”. It’s not true. Our digital systems are very adept at handling exceptions and variable routing and security when they are programmed to do so. The problem is ensuring the people writing the code understand all of the rules for the exceptions.

The article talks about the approach Hawaii has taken, in scrapping older laws and simplifying them to comply and expand the HIPAA requirements so that providers and patients can understand how to handle data. I suspect that few governments will take this approach, but it’s precisely what’s needed, in all fields, for those of us working with data to build systems that can not only comply with the laws, but also protect data in a secure manner.